author: Eric Paris 2014-03-30 18:07:54 -0500
committer: Eric Paris 2014-03-31 14:36:41 -0500
commit: 543bc6a1a987672b79d6ebe8e2ab10471d8f1047 (patch)
tree: d8676d2ffc398094a19ea7158c1b5090a0cc20b9 /kernel
parent: 356750e35e86485c464704c0a32c1d8dc77590d7 (diff)
AUDIT: Allow login in non-init namespaces
It is possible to configure your PAM stack to refuse login if audit messages (about the login) were unable to be sent. This is common in many distros and thus normal configuration of many containers. The PAM modules determine if audit is enabled/disabled in the kernel based on the return value from sending an audit message on the netlink socket. If userspace gets back ECONNREFUSED it believes audit is disabled in the kernel. If it gets any other error it refuses to let the login proceed.

Just about ever since the introduction of namespaces the kernel audit subsystem has returned EPERM if the task sending a message was not in the init user or pid namespace. So many forms of containers have never worked if audit was enabled in the kernel.

BUT if the container was not in net_init then the kernel network code would send ECONNREFUSED (instead of the audit code sending EPERM). Thus by pure accident/dumb luck/bug if an admin configured the PAM stack to reject all logins that didn't talk to audit, but then ran the login utility in the non-init_net namespace, it would work!! Clearly this was a bug, but it is a bug some people expected.

With the introduction of network namespace support in 3.14-rc1 the two bugs stopped cancelling each other out. Now, containers in the non-init_net namespace refused to let users log in (just like PAM was configured!) Obviously some people were not happy that what used to let users log in, now didn't!

This fix is kinda hacky. We return ECONNREFUSED for all non-init relevant namespaces. That means that not only will the old broken non-init_net setups continue to work, now the broken non-init_pid or non-init_user setups will 'work'. They don't really work, since audit isn't logging things. But it's what most users want.

In 3.15 we should have patches to support not only the non-init_net (3.14) namespace but also the non-init_pid and non-init_user namespace. So all will be right in the world.

This just opens the doors wide open on 3.14 and hopefully makes users happy, if not the audit system...

Reported-by: Andre Tomt <andre@tomt.net>
Reported-by: Adam Richter <adam_richter2004@yahoo.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Conflicts:
	kernel/audit.c
Diffstat (limited to 'kernel')
-rw-r--r-- kernel/audit.c | 12
1 files changed, 11 insertions, 1 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index ad77d1e80895..873b965fdc58 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -608,8 +608,18 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
608 int err = 0; 608 int err = 0;
609 609
610 /* Only support initial user namespace for now. */ 610 /* Only support initial user namespace for now. */
611 /*
612 * We return ECONNREFUSED because it tricks userspace into thinking
613 * that audit was not configured into the kernel. Lots of users
614 * configure their PAM stack (because that's what the distro does)
615 * to reject login if unable to send messages to audit. If we return
616 * ECONNREFUSED the PAM stack thinks the kernel does not have audit
617 * configured in and will let login proceed. If we return EPERM
618 * userspace will reject all logins. This should be removed when we
619 * support non init namespaces!!
620 */
611 if ((current_user_ns() != &init_user_ns)) 621 if ((current_user_ns() != &init_user_ns))
612 return -EPERM; 622 return -ECONNREFUSED;
613 623
614 switch (msg_type) { 624 switch (msg_type) {
615 case AUDIT_LIST: 625 case AUDIT_LIST:
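Review bot: the hunk only switches the `current_user_ns() != &init_user_ns` check from `-EPERM` to `-ECONNREFUSED`, while the commit message says ECONNREFUSED is now returned "for all non-init relevant namespaces" including the non-init pid namespace; if the pid-namespace rejection sits elsewhere in audit_netlink_ok() (the "Conflicts: kernel/audit.c" line suggests this is a backport), that site needs the same change or PAM will still see EPERM from pid-namespaced containers and refuse logins there. Two smaller points on the new comment block: it duplicates the existing "Only support initial user namespace for now." line, so fold the two into one comment, and since the comment itself states that the return value deliberately "tricks userspace into thinking that audit was not configured" and the commit message admits these logins then go unaudited, the comment should say plainly that the message is dropped with no record, so anyone reading this path knows container logins are invisible to the audit log until the namespace support promised for 3.15 lands.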